Privacy Policy

How NAIAQ collects, uses and protects personal data.

This Privacy Policy explains how NAIAQ handles personal data when customers, providers, staff users, admin users, visitors and future mobile app users interact with our platform.

Last updated: 29 May 2026 Version 1.1 Applies to NAIAQ website, dashboards and app

Introduction

This Privacy Policy explains how NAIAQ collects, uses, stores, shares and protects personal data when you use our website, dashboards, marketplace features, support channels, emails, future mobile applications and related services.

It also explains your rights under the General Data Protection Regulation, the Irish Data Protection Acts and related Irish/EU privacy rules.

This policy should be read together with our Terms and Conditions and Cookie Policy.

Who we are

Shy Shell Technologies Limited, trading as NAIAQ, is the data controller for personal data collected through the NAIAQ platform unless a specific service flow or written agreement says otherwise.

NAIAQ is an Ireland-first online marketplace that helps customers post job requests and helps independent providers, provider staff accounts and admin users manage service-related interactions.

Trading name NAIAQ
Legal operator Shy Shell Technologies Limited
Registered office Unit 2, 2 Bridge Street, Athlone, WESTMEATH, N37 F1W4, Ireland
Privacy email contact@naiaq.ie
Support email contact@naiaq.ie
Website https://naiaq.ie
Data protection contact contact@naiaq.ie

If NAIAQ appoints a Data Protection Officer in the future, the DPO contact details will be added to this policy.

What data we collect

Depending on how you use NAIAQ, we may collect the following categories of personal data:

  • Identity and contact data: names, email addresses, phone numbers, account identifiers, business contacts and support contact details.
  • Account and login data: encrypted passwords or authentication records, account role, account status, login timestamps, staff invite status, admin invite status and access permissions.
  • MFA and security data: email-code MFA status, passkey credential metadata, recovery-code status, security challenge timestamps, audit logs, IP address, user agent and step-up verification records. NAIAQ does not store plaintext MFA codes, plaintext recovery codes or passkey private keys.
  • Customer job data: job descriptions, category, subcategory, urgency, property type, address, Eircode, photos, job status, messages and replies.
  • Provider data: provider profile, business details, service categories, service listings, portfolio items, review link, coverage/routing areas, staff accounts, staff roles, calendar jobs, business registration details where provided and provider dashboard activity.
  • Staff account data: staff name, email, role, invite status, assigned jobs, roster/schedule information where enabled, dashboard activity and job completion updates.
  • Admin user data: admin identity, role, status, invite records, admin actions, audit logs and reasons for sensitive actions.
  • Payment and subscription data: Stripe customer/subscription references, plan tier, billing cycle, subscription status, checkout status, payment event references, invoice status and tax/accounting records. We do not store full payment-card details.
  • Reviews and user content: ratings, review text, public replies, uploaded images, service listings, portfolio images, profile content, support attachments and messages.
  • Support and dispute data: support messages, contact requests, internal notes, dispute information, attachments and communications needed to investigate or resolve issues.
  • Website, device and analytics data: cookie identifiers, approximate technical location from IP address, browser/device details, page usage, session data, crash/debug information, future app device data and push notification tokens where enabled.
  • Marketing preference data: email preferences, campaign interactions, consent records and unsubscribe information.

We ask users not to upload unnecessary personal data, sensitive personal data, illegal material, unrelated images or information about other people unless it is genuinely needed for the service request or support issue.

How we collect your data

Most personal data is provided directly by you when you:

  • Create or update a customer, provider, staff or admin account.
  • Submit a job request, including a job address, Eircode, description or uploaded photos.
  • Communicate with customers, providers, staff users or support through NAIAQ.
  • Submit or reply to reviews.
  • Set up MFA, verify email codes, add passkeys or generate recovery codes.
  • Subscribe to a provider plan, change billing cycle or complete checkout.
  • Contact us for help, complaints, disputes or account issues.
  • Use our website, dashboards, cookies, emails or future mobile app.

We may also receive limited information from third parties, including Stripe for payment/subscription events, email delivery providers for transactional email status, hosting and security providers, analytics tools where enabled, and other services you choose to connect to NAIAQ.

Purposes and legal bases

The cards below explain why we process personal data, the main data categories involved, the GDPR legal basis and typical retention period.

Account registration and management

Data
Identity, contact, login, role and profile details.
Legal basis
Contract; legitimate interests for account safety and platform administration.
Retention
While the account is active, then usually up to 6 years where needed for legal, tax, fraud or dispute purposes.

Marketplace job matching and communication

Data
Job details, Eircodes, addresses, photos, provider coverage, messages and quotes.
Legal basis
Contract; legitimate interests in operating the marketplace.
Retention
Usually up to 3 years after job completion/closure, longer where required for disputes or legal claims.

Provider accounts, staff and business features

Data
Provider profile, business details, service listings, staff accounts, calendar jobs and role permissions.
Legal basis
Contract; legitimate interests; legal obligation where required.
Retention
While active, then usually up to 6 years for legal, tax, audit or dispute reasons.

Payments and provider subscriptions

Data
Stripe references, subscription status, plan tier, billing cycle, invoices and payment event records.
Legal basis
Contract; legal obligation for accounting and tax records.
Retention
Usually up to 6 years for financial and tax records.

MFA, passkeys, security and fraud prevention

Data
MFA settings, passkey public credential metadata, hashed recovery records, login logs, IP address, user agent and audit events.
Legal basis
Legitimate interests in protecting users, accounts and the platform; contract where security is needed to provide the service.
Retention
Usually up to 1 year for routine logs; longer for security incidents, fraud prevention or legal claims.

Reviews, replies and public content

Data
Ratings, review text, review images, provider replies, service listings and portfolio content.
Legal basis
Legitimate interests in marketplace trust, transparency and service quality; consent where required for certain optional content.
Retention
While displayed or useful for platform trust, unless removal is required by law or policy.

Support, disputes and platform safety

Data
Support messages, attachments, internal notes, dispute records, admin actions and investigation records.
Legal basis
Legitimate interests; contract; legal obligation where applicable.
Retention
Usually up to 2 years after resolution, longer where legal claims, fraud or safety issues require it.

Transactional communications

Data
Email address, phone number where used, message content, invite links, job confirmations, MFA emails and service notifications.
Legal basis
Contract; legitimate interests; legal obligation where required.
Retention
For as long as needed to provide the service and maintain audit/support records.

Marketing communications

Data
Email address, consent status, marketing preferences and campaign interactions.
Legal basis
Consent, or legitimate interests where legally permitted for business-to-business or existing-customer communications.
Retention
Until consent is withdrawn, the user unsubscribes, or the record is no longer needed.

Analytics and service improvement

Data
Usage events, cookie data, device/browser data, performance logs and aggregated analytics.
Legal basis
Consent where required for non-essential cookies; legitimate interests for essential service analytics and security logs.
Retention
Raw analytics/logs usually up to 1 year; aggregated non-identifying statistics may be kept longer.

Retention periods may be extended where necessary for legal claims, regulatory obligations, fraud prevention, platform safety, accounting, audit or dispute resolution.

How we use your data

  • Operate and administer customer, provider, staff and admin accounts.
  • Allow customers to post jobs and providers to respond, ask questions, quote and manage work.
  • Support staff-account invitations, roster/assignment features and staff job access where enabled.
  • Verify account access, enforce role permissions and protect dashboards with MFA and step-up verification.
  • Process provider subscriptions, billing events, invoices and plan changes through Stripe.
  • Display provider profiles, services, portfolio items, reviews and public replies.
  • Provide support, investigate complaints and help resolve disputes.
  • Send transactional emails, invite emails, MFA codes, recovery/security notices and service updates.
  • Improve, test, monitor, debug and secure the NAIAQ platform.
  • Comply with legal, tax, accounting, security and regulatory obligations.
  • Send marketing messages where permitted and respect unsubscribe/consent preferences.

We do not sell personal data. We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Sharing your data

We only share personal data where needed to operate NAIAQ, comply with law, protect users or provide requested services. Recipients may include:

  • Customers and providers: relevant job, quote, contact, messaging, address and service information needed to respond to or perform a requested service.
  • Provider staff users: assigned job and schedule information needed for their role within the provider business.
  • Payment providers: Stripe or other payment processors for provider subscriptions, checkout, invoices and payment event processing.
  • Technology providers: Supabase, hosting/CDN providers, email providers, storage providers, analytics providers, monitoring/security tools and support systems.
  • Professional advisers and insurers: accountants, lawyers, auditors, insurers and advisers where needed.
  • Authorities, regulators and courts: where required by law, legal process, regulatory request, tax/accounting obligation or platform safety requirement.
  • Business transfer recipients: potential buyers, investors, advisers or successors if NAIAQ is involved in a merger, acquisition, investment, restructuring or sale of assets, subject to suitable safeguards.

Where a provider receives customer data through NAIAQ, the provider is responsible for handling that data lawfully and only for the relevant job/service purpose.

International transfers

Where personal data is transferred outside the European Economic Area, we use lawful transfer safeguards where required, such as European Commission adequacy decisions, Standard Contractual Clauses, supplementary measures, or other approved transfer mechanisms.

Some technology providers may process data from locations outside Ireland or the EEA as part of secure hosting, support, email, payment, analytics or infrastructure operations.

Cookies and tracking technologies

NAIAQ uses cookies and similar technologies to keep users signed in, protect accounts, remember preferences, understand how the website is used and support future marketing/analytics features.

Strictly necessary cookies are used to provide the site and account features. Non-essential cookies, such as analytics or marketing cookies, are used only with consent where required.

Our separate Cookie Policy explains cookie categories, purposes, providers and durations.

Your data protection rights

Under GDPR, you have rights over your personal data. These rights are not absolute and may depend on the circumstances, our legal basis for processing and any legal obligations we must keep.

AccessRequest a copy of your personal data.
RectificationAsk us to correct incomplete or inaccurate data.
ErasureAsk us to delete data in certain circumstances.
RestrictionAsk us to temporarily limit processing.
ObjectionObject to legitimate interests processing or direct marketing.
PortabilityAsk us to provide certain data in a transferable format.
Withdraw consentWithdraw consent where processing is based on consent.
ComplainContact the Data Protection Commission if you believe your rights have been breached.

To exercise your rights, contact privacy@naiaq.ie. We may ask for information to verify your identity and will normally respond within one month, unless a lawful extension applies.

Complaints

You can lodge a complaint with the Data Protection Commission if you believe your data has not been handled lawfully.

Data Protection Commission
21 Fitzwilliam Square South,
Dublin 2, D02 RD28, Ireland
Phone: +353 (0)761 104 800
Email: info@dataprotection.ie
Website: https://www.dataprotection.ie

Storage, retention and security

We store personal data on secure systems located in Ireland, the European Economic Area or other approved locations with appropriate safeguards.

We use access controls, encryption where appropriate, audit logging, role-based permissions, multi-factor authentication options, passkeys where enabled, security monitoring, rate limiting, backups and secure development practices to protect data from unauthorised access, accidental loss, misuse, disclosure or alteration.

Only authorised personnel, contractors and service providers may access personal data where needed for their role. They are subject to confidentiality duties and access controls.

No online platform can guarantee absolute security. If you believe your NAIAQ account or personal data has been compromised, contact us immediately at contact@naiaq.ie.

Children

NAIAQ is intended for users aged 18 or over. Users must not create accounts, post jobs, provide services, submit reviews or use dashboards if they are under 18.

If we become aware that a child has provided personal data to NAIAQ, we will take appropriate steps to delete or restrict that data unless we are legally required to keep it.

Changes to this policy

We review this Privacy Policy regularly and update it when we introduce new services, change how we process data, add new providers/processors, update security features or respond to legal or regulatory developments.

When we make material changes, we will take reasonable steps to notify users through the website, dashboard, email, mobile app or another appropriate method.

Document history: Version 1.1, 29 May 2026.